CVSS: 9.8EPSS: 35%CPEs: 189EXPL: 0CVE-2017-14100 – Gentoo Linux Security Advisory 201710-29
https://notcve.org/view.php?id=CVE-2017-14100
02 Sep 2017 — In Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before 14.6.1 and Certified Asterisk 11.x before 11.6-cert17 and 13.x before 13.13-cert5, unauthorized command execution is possible. The app_minivm module has an "externnotify" program configuration option that is executed by the MinivmNotify dialplan application. The application uses the caller-id name and number as part of a built string passed to the OS shell for interpretation and execution. Since the caller-id name and number can come from... • http://downloads.asterisk.org/pub/security/AST-2017-006.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.5EPSS: 0%CPEs: 189EXPL: 0CVE-2017-14099 – Asterisk Project Security Advisory - AST-2017-008
https://notcve.org/view.php?id=CVE-2017-14099
02 Sep 2017 — In res/res_rtp_asterisk.c in Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before 14.6.1 and Certified Asterisk 11.x before 11.6-cert17 and 13.x before 13.13-cert5, unauthorized data disclosure (media takeover in the RTP stack) is possible with careful timing by an attacker. The "strictrtp" option in rtp.conf enables a feature of the RTP stack that learns the source address of media for a session and drops any packets that do not originate from the expected address. This option is enabled by d... • http://downloads.asterisk.org/pub/security/AST-2017-005.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 3%CPEs: 50EXPL: 0CVE-2017-9372 – Debian Security Advisory 3933-1
https://notcve.org/view.php?id=CVE-2017-9372
02 Jun 2017 — PJSIP, as used in Asterisk Open Source 13.x before 13.15.1 and 14.x before 14.4.1, Certified Asterisk 13.13 before 13.13-cert4, and other products, allows remote attackers to cause a denial of service (buffer overflow and application crash) via a SIP packet with a crafted CSeq header in conjunction with a Via header that lacks a branch parameter. PJSIP, tal como es usado en Asterisk Open Source versiones 13.x y anteriores a 13.15.1 y versiones 14.x y anteriores a 14.4.1, Certified Asterisk versión 13.13 y a... • http://downloads.asterisk.org/pub/security/AST-2017-002.txt • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.5EPSS: 0%CPEs: 42EXPL: 0CVE-2017-9359 – Debian Security Advisory 3933-1
https://notcve.org/view.php?id=CVE-2017-9359
02 Jun 2017 — The multi-part body parser in PJSIP, as used in Asterisk Open Source 13.x before 13.15.1 and 14.x before 14.4.1, Certified Asterisk 13.13 before 13.13-cert4, and other products, allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet. El analizador multi-part body en PJSIP, tal como es usado en Asterisk Open Source versiones 13.x y anteriores a 13.15.1 y versiones 14.x y anteriores a 14.4.1, Certified Asterisk versión 13.13 y anteriores a 13.13-ce... • http://downloads.asterisk.org/pub/security/AST-2017-003.txt • CWE-125: Out-of-bounds Read •
CVSS: 8.8EPSS: 18%CPEs: 61EXPL: 0CVE-2017-7617
https://notcve.org/view.php?id=CVE-2017-7617
10 Apr 2017 — Remote code execution can occur in Asterisk Open Source 13.x before 13.14.1 and 14.x before 14.3.1 and Certified Asterisk 13.13 before 13.13-cert3 because of a buffer overflow in a CDR user field, related to X-ClientCode in chan_sip, the CDR dialplan function, and the AMI Monitor action. La ejecución remota de código puede ocurrir en Asterisk Open Source 13.x en versiones anteriores a 13.14.1 y 14.x en versiones anteriores a 14.3.1 y Asterisk certificado 13.13 en versiones anteriores a 13.13-cert3 debido a ... • http://downloads.asterisk.org/pub/security/AST-2017-001.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 0CVE-2016-9937
https://notcve.org/view.php?id=CVE-2016-9937
12 Dec 2016 — An issue was discovered in Asterisk Open Source 13.12.x and 13.13.x before 13.13.1 and 14.x before 14.2.1. If an SDP offer or answer is received with the Opus codec and with the format parameters separated using a space the code responsible for parsing will recursively call itself until it crashes. This occurs as the code does not properly handle spaces separating the parameters. This does NOT require the endpoint to have Opus configured in Asterisk. This also does not require the endpoint to be authenticat... • http://downloads.asterisk.org/pub/security/AST-2016-008-13.diff • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 5.3EPSS: 1%CPEs: 146EXPL: 0CVE-2016-9938
https://notcve.org/view.php?id=CVE-2016-9938
12 Dec 2016 — An issue was discovered in Asterisk Open Source 11.x before 11.25.1, 13.x before 13.13.1, and 14.x before 14.2.1 and Certified Asterisk 11.x before 11.6-cert16 and 13.x before 13.8-cert4. The chan_sip channel driver has a liberal definition for whitespace when attempting to strip the content between a SIP header name and a colon character. Rather than following RFC 3261 and stripping only spaces and horizontal tabs, Asterisk treats any non-printable ASCII character as if it were whitespace. This means that ... • http://downloads.asterisk.org/pub/security/AST-2016-009.html • CWE-285: Improper Authorization •
CVSS: 7.5EPSS: 6%CPEs: 113EXPL: 0CVE-2016-7551 – Debian Security Advisory 3700-1
https://notcve.org/view.php?id=CVE-2016-7551
26 Oct 2016 — chain_sip in Asterisk Open Source 11.x before 11.23.1 and 13.x 13.11.1 and Certified Asterisk 11.6 before 11.6-cert15 and 13.8 before 13.8-cert3 allows remote attackers to cause a denial of service (port exhaustion). chain_sip en Asterisk Open Source 11.x en versiones anteriores a 11.23.1 y 13.x 13.11.1 y Certified Asterisk 11.6 en versiones anteriores a 11.6-cert15 y 13.8 en versiones anteriores a 13.8-cert3 permite a atacantes remotos provocar una denegación de servicio (agotamiento portuario) Multiple vu... • http://downloads.asterisk.org/pub/security/AST-2016-007.html • CWE-399: Resource Management Errors •
CVSS: 6.5EPSS: 8%CPEs: 288EXPL: 0CVE-2016-2232 – Debian Security Advisory 3700-1
https://notcve.org/view.php?id=CVE-2016-2232
22 Feb 2016 — Asterisk Open Source 1.8.x, 11.x before 11.21.1, 12.x, and 13.x before 13.7.1 and Certified Asterisk 1.8.28, 11.6 before 11.6-cert12, and 13.1 before 13.1-cert3 allow remote authenticated users to cause a denial of service (uninitialized pointer dereference and crash) via a zero length error correcting redundancy packet for a UDPTL FAX packet that is lost. Asterisk Open Source 1.8.x, 11.x en versiones anteriores a 11.21.1, 12.x y 13.x en versiones anteriores a 13.7.1 y Certified Asterisk 1.8.28, 11.6 en ver... • http://downloads.asterisk.org/pub/security/AST-2016-003.html •
CVSS: 7.1EPSS: 0%CPEs: 290EXPL: 1CVE-2016-2316 – Debian Security Advisory 3700-1
https://notcve.org/view.php?id=CVE-2016-2316
22 Feb 2016 — chan_sip in Asterisk Open Source 1.8.x, 11.x before 11.21.1, 12.x, and 13.x before 13.7.1 and Certified Asterisk 1.8.28, 11.6 before 11.6-cert12, and 13.1 before 13.1-cert3, when the timert1 sip.conf configuration is set to a value greater than 1245, allows remote attackers to cause a denial of service (file descriptor consumption) via vectors related to large retransmit timeout values. chan_sip en Asterisk Open Source 1.8.x, 11.x en versiones anteriores a 11.21.1, 12.x y 13.x en versiones anteriores a 13.7... • http://downloads.asterisk.org/pub/security/AST-2016-002.html • CWE-191: Integer Underflow (Wrap or Wraparound) •